rep

The Windows ETW event source for DNS returns incorrect QueryResults when the DNS server sends additional A / AAAA records in the "ADDITIONAL" section of the DNS response packet.

To fix, the code responsible for putting together the QueryResults value needs to only take into account records from the ANSWER section.

=============== ETW Event ===============

<Event MSec=  "6447.1483" PID="7596" PName=  "msedge" TID="5392" EventName="EventID(3008)" ProviderName="Microsoft-Windows-DNS-Client" FormattedMessage="DNS query is completed for the name baidu.com, type 1, query options 2,392,538,375,913,472 with status 0 Results 110.242.68.66;39.156.66.10;110.242.68.134;220.181.33.31;36.152.45.193;112.80.248.64;14.215.178.80;111.45.3.226;180.76.76.92;240e:bf:b801:1002:0:ff:b024:26de;240e:940:603:4:0:ff:b01b:589a; " QueryName="baidu.com" QueryType="1" QueryOptions="2,392,538,375,913,472" QueryStatus="0" QueryResults="110.242.68.66;39.156.66.10;110.242.68.134;220.181.33.31;36.152.45.193;112.80.248.64;14.215.178.80;111.45

rep

Total alloced IPv4: 14380288
Top 100 Orgs total alloced: 2421760 (~17%)
-------------------------------------------------------------------------+-----------+----------+---------+--------------------------+------------------------------------------------------+
|                                 Org Name                                | LIR Count | IP Count | % total |        Mask Count        |                  LIR Names (max 3)                   |
+-------------------------------------------------------------------------+-----------+----------+---------+--------------------------+------------------------------------------------------+
|                 TT1 Datacenter UG (haftungsbeschraenkt)                 |     72    |  72704   | 0.50558 |     70x /22, 2x /23      |               de.tt1data, de.tt1data10               |
|                           Prager Connect GmbH                           |     70    |  70656   | 0.49134 |     68x /22, 2x /23      | at.allocate-like-its-1999, at.allocate-like-its-1999 

rep

16716594 n003-000-000-000.static.ge.com
11063439 nothing.attdns.com
4975683 hn.kd.ny.adsl
2683538 static.kpn.net
2647717 localhost
1759131 walmart.com
1098677 unknown.Level3.net
1024262 
 774367 no-dns-yet.demon.co.uk
 528853 no-data

rep

#!/usr/bin/python
# -*- coding: utf8 -*-

import sys
import os
import time
import select
import socket

import pycares

rep

import math
import md5
import re
import socket
import select

class Disconnect(Exception):
    pass
class Timeout(Exception):
    pass

rep

#!/usr/bin/env python

# Author: Mark Schloesser (mark_schloesser@rapid7.com)
# Description: filter and convert internet census 2012 serviceprobes

# usage:
# convert_census_probes.py <port number> <output pcap path>
#  (uses the port number for the TCP header in the PCAP)

# example:

rep

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

@def	$INTERNET="eth0";
@def	$HOSTONLY0="vboxnet0";
@def	$HONET0="192.168.56.0/24";

@def	$VBOX0_INET=1;

rep

function oidDate(e){
  return new Date(parseInt(e.substring(0,8),16)*1e3)
};
oidDate("50c5c0e8db1434180bfb062b")
Mon Dec 10 2012 12:00:56 GMT+0100 (CET)

rep

import time
import gevent
import gevent.socket

def sleep():
	with gevent.Timeout(2):
		gevent.sleep(1)
		print 'after sleep'

def resolve():

rep

import os
import struct
import pylibemu

emu = pylibemu.Emulator()

# shellcode uses this address for the winexec call as cmdline
# modify it to see different emu_profile_output
emu.memory_write_dword(0x41414243, 0x41414141)
# this is used as exitprocess exitcode